Zyxel has released firmware patches for a critical vulnerability (CVE-2023-27992) in some of its consumer network attached storage (NAS) devices.
CVE-2023-27992 is an OS command injection flaw that could be triggered remotely by an unauthenticated attacker, via a specially crafted HTTP request.
The following versions are impacted by CVE-2023-27992:
- NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0),
- NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and
- NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0)
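Because Zyxel lists no workaround, the practical defender task is to find every affected NAS in an inventory and confirm it has reached the fixed build. The following script is an added example (not from Zyxel or the original article) that parses Zyxel's `V5.21(AAZF.13)C0`-style version strings and compares them against the patched versions quoted above. The inventory lines are constructed sample data, and the ordering of build number before the trailing `C` revision is an assumption about Zyxel's scheme.

```python
import re
from typing import NamedTuple, Optional

# Patched firmware versions quoted in Zyxel's advisory for CVE-2023-27992.
PATCHED = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Matches e.g. V5.21(AAZF.13)C0 -> major 5, minor 21, branch AAZF, build 13, revision 0
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class FirmwareVersion(NamedTuple):
    major: int
    minor: int
    branch: str      # model-specific code, e.g. AAZF for NAS326
    build: int
    revision: int    # the trailing C<n>; assumed to sort after the build number


def parse_version(text: str) -> FirmwareVersion:
    """Parse a Zyxel firmware version string; raise ValueError on anything unfamiliar."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, branch, build, revision = m.groups()
    return FirmwareVersion(int(major), int(minor), branch, int(build), int(revision))


def is_vulnerable(model: str, version: str) -> Optional[bool]:
    """True if the device runs a version older than the patched one for its model,
    False if it is at or beyond the patch, None if the model is not in the advisory."""
    if model not in PATCHED:
        return None
    have = parse_version(version)
    fixed = parse_version(PATCHED[model])
    # A mismatched branch code means the version string belongs to a different model line.
    if have.branch != fixed.branch:
        raise ValueError(
            f"{version} does not look like {model} firmware (expected branch {fixed.branch})"
        )
    have_key = (have.major, have.minor, have.build, have.revision)
    fixed_key = (fixed.major, fixed.minor, fixed.build, fixed.revision)
    return have_key < fixed_key


# Constructed sample inventory: hostname, model, running firmware.
SAMPLE_INVENTORY = """\
nas-01,NAS326,V5.21(AAZF.13)C0
nas-02,NAS326,V5.21(AAZF.14)C0
nas-03,NAS540,V5.21(AATB.10)C0
nas-04,NAS542,V5.21(ABAG.11)C0
nas-05,NAS542,V5.21(ABAG.9)C0
other-01,OTHER-MODEL,V1.00(XXXX.0)C0
"""


def find_exposed(inventory_csv: str) -> list[str]:
    """Return hostnames whose model is in the advisory and whose firmware predates the fix."""
    exposed = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, model, version = [field.strip() for field in line.split(",")]
        if is_vulnerable(model, version) is True:
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: unpatched for CVE-2023-27992, upgrade firmware")
```

Unknown models are reported as `None` rather than "safe" so that a NAS missing from the advisory's list is not silently treated as patched; a version string whose branch code does not match the claimed model raises, which usually means the inventory record itself is wrong.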
The alert comes two weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two flaws in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
There is currently no indication that CVE-2023-27992 is being actively exploited. Since Zyxel does not mention workarounds or mitigations, owners/admins of the aforementioned NAS device models are advised to quickly upgrade to the latest firmware version.